Kibana Wazuh Agent isn't showing anything in integrity
-
And SSL on an Internal only webpage is a PITA.
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ I think the issue is with Search Guard, as I can't get to the address:9200/?pretty as it errors with a certificate issue.
Also if you are truly using SSL then you wont be able to send an unauthenticated query
Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["warning","searchguard"],"pid":942,"message":"\"Do not fail on forbidden\" is not enabled. Please refer to the documentation: https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-elasticsearch-enable-do-not-fail-on-forbidden"} Dec 17 14:42:09 wazuh.localdomain kibana[942]: {"type":"log","@timestamp":"2019-12-17T19:42:09Z","tags":["status","plugin:[email protected]","info"],"pid":942,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"} Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF Dec 17 14:42:55 wazuh.localdomain filebeat[1703]: 2019-12-17T14:42:55.659-0500 INFO pipeline/output.go:93 Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 6 reconnect attempt(s) Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://192.168.1.100:9200)): Get http://192.168.1.100:9200: EOF Dec 17 14:43:52 wazuh.localdomain filebeat[1703]: 2019-12-17T14:43:52.263-0500 INFO pipeline/output.go:93 Attempting to reconnect to backoff(elasticsearch(http://192.168.1.100:9200)) with 7 reconnect attempt(s) -
Which that is tied in specifically with the Safe Guard plugin
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which that is tied in specifically with the Safe Guard plugin
If its on the same host, then just do a nginx reverse proxy.
-
Also do iptables rules to block all incoming 9200 and 5601 traffic as you will not need it
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which that is tied in specifically with the Safe Guard plugin
If its on the same host, then just do a nginx reverse proxy.
(I've never set one up)
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which that is tied in specifically with the Safe Guard plugin
If its on the same host, then just do a nginx reverse proxy.
(I've never set one up)
Install NGINX
apt-get -y install nginxGenerate self-signed cert for Kibana
mkdir -p /etc/ssl/certs /etc/ssl/private openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pemSetup config file for NGINX
cat > /etc/nginx/sites-available/default <<\EOF server { listen 80; listen [::]:80; return 301 https://$host$request_uri; } server { listen 443 default_server; listen [::]:443; ssl on; ssl_certificate /etc/ssl/certs/kibana-access.pem; ssl_certificate_key /etc/ssl/private/kibana-access.key; access_log /var/log/nginx/nginx.access.log; error_log /var/log/nginx/nginx.error.log; location / { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; proxy_pass http://localhost:5601/; } } EOFEnable authentication by password for Kibana
apt-get -y install apache2-utilsSet username and password for Kibana access. Replace <user> with your desired username
htpasswd -c /etc/nginx/conf.d/kibana.htpasswd <user>Restart NGINX
systemctl restart nginx -
@IRJ Okay, ran all of that.
How do I confirm the reverse proxy is working properly now?
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ Okay, ran all of that.
How do I confirm the reverse proxy is working properly now?
access kibana on 443 and it should prompt you for a pw
-
@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?
Not that. . .
-
Nginx just isn't doing it. Being the first time I've set this up doesn't really help either.
-
Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
server { listen 80; listen [::]:80; listen 5601; listen [::]:5601; return 301 https://$host$request_uri; } server { listen 443 ssl; listen [::]:443; ssl_certificate /etc/pki/tls/certs/kibana-access.pem; ssl_certificate_key /etc/pki/tls/private/kibana-access.key; access_log /var/log/nginx/nginx.access.log; error_log /var/log/nginx/nginx.error.log; location / { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; proxy_pass http://localhost:5601/; } } -
Without the 5601 ports and if I add under
serverssl on;the connection just never responds and times out. -
Looks like a permissions issue for the kibana user.
Dec 18 09:08:25 wazuh.localdomain kibana[11090]: {"type":"log","@timestamp":"2019-12-18T14:08:25Z","tags":["fatal","root"],"pid":11090,"message":"{ Error: EACCES: permission denied, open '/etc/pki/tls/private/kibana-access.key'\n at Object.openSync (fs.js:439:3)\n at readFileSync (fs.js:344:35)\n at getServerOptions (/usr/share/kibana/src/core/server/http/http_tools.js:81:33)\n at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:68:60)\n at HttpService.runNotReadyServer (/usr/share/kibana/src/core/server/http/http_service.js:137:26)\n at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:60:18)\n errno: -13,\n syscall: 'open',\n code: 'EACCES',\n path: '/etc/pki/tls/private/kibana-access.key' }"} Dec 18 09:08:25 wazuh.localdomain kibana[11090]: FATAL Error: EACCES: permission denied, open '/etc/pki/tls/private/kibana-access.key'Looking into that.
-
Finally got the website to respond via ssl at
https://192.168.1.100:5601/kibanabut I didn't get greeted with a nginx login page. . . -
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
server {
listen 80;
listen [::]:80;
listen 5601;
listen [::]:5601;
return 301 https://$host$request_uri;
}server {
listen 443 ssl;
listen [::]:443;
ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
access_log /var/log/nginx/nginx.access.log;
error_log /var/log/nginx/nginx.error.log;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://localhost:5601/;
}
}Why are you listening on 5601?
proxy_pass http://localhost:5601/;will redirect 5601 to443 -
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
server { listen 80; listen [::]:80; listen 5601; listen [::]:5601; return 301 https://$host$request_uri; } server { listen 443 ssl; listen [::]:443; ssl_certificate /etc/pki/tls/certs/kibana-access.pem; ssl_certificate_key /etc/pki/tls/private/kibana-access.key; access_log /var/log/nginx/nginx.access.log; error_log /var/log/nginx/nginx.error.log; location / { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; proxy_pass http://localhost:5601/; } }Why are you listening on 5601?
proxy_pass http://localhost:5601/;will redirect 5601 to443That is no longer in the file, I was testing with it. The below is current.
server { listen 80; listen [::]:80; return 301 https://$host$request_uri; } server { listen 443 ssl; listen [::]:443; ssl on; ssl_certificate /etc/pki/tls/certs/kibana-access.pem; ssl_certificate_key /etc/pki/tls/private/kibana-access.key; access_log /var/log/nginx/nginx.access.log; error_log /var/log/nginx/nginx.error.log; location / { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; proxy_pass http://localhost:5601/;
